bazarloader | dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 08:18

Target

6ccf11aecc3b829698cdf1972f5d8732.dll
Size

1.2MB
MD5

6ccf11aecc3b829698cdf1972f5d8732
SHA1

983f34b013186bdb199692022f5f1b84db37765e
SHA256

dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10
SHA512

8b723631a08aafcb4ff20d1460d7740ca5ab2dc7c97528e986201b35bef542fe34061748b984cb4cfeb0f56e36a4362b55cc66e4ca4f065198295b42f671fa83
SSDEEP

12288:6yWeahQ/LWnzkXz5HYrniajhuSlHJzJBlPXXo/6aNdCaBSPZC1XZV72BZ:HWeaZzqY7dhBjz/lfo/FIyXv72BZ

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4308-0-0x00000275DB1E0000-0x00000275DB21C000-memory.dmp	BazarLoaderVar5
behavioral2/memory/4308-1-0x00007FFE9BF80000-0x00007FFE9C101000-memory.dmp	BazarLoaderVar5
behavioral2/memory/4308-3-0x00000275DB1E0000-0x00000275DB21C000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 14 IoCs

Processes:

rundll32.exe

Tries to connect to .bazar domain 4 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow ioc

52 greencloud46a.bazar
60 whitestorm9p.bazar
68 yellowdownpour81.bazar
51 greencloud46a.bazar
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 195.10.195.195
Destination IP 195.10.195.195
Destination IP 195.10.195.195
Destination IP 194.36.144.87
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 43 https://api.opennicproject.org/geoip/?bare&ipv=4

description	flow	ioc
HTTP URL	43	https://api.opennicproject.org/geoip/?bare&ipv=4

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ccf11aecc3b829698cdf1972f5d8732.dll,#1
1⤵
- Blocklisted process makes network request
PID:4308

memory/4308-0-0x00000275DB1E0000-0x00000275DB21C000-memory.dmp

Filesize
240KB

Download
memory/4308-1-0x00007FFE9BF80000-0x00007FFE9C101000-memory.dmp

Filesize
1.5MB

Download
memory/4308-3-0x00000275DB1E0000-0x00000275DB21C000-memory.dmp

Filesize
240KB

Download